Module 5: Implementing Group Policy




Contents

Overview
Lesson: Creating and Configuring GPOs
Lesson: Configuring Group Policy Refresh Rates and Group Policy Settings
Lesson: Managing GPOs
Lesson: Verifying and Troubleshooting Group Policy
Lesson: Delegating Administrative Control of Group Policy
Lesson: Planning a Group Policy Strategy for the Enterprise
Lab A: Implementing Group Policy

© 2003 Microsoft Corporation. All rights reserved.

Instructor Notes

Presentation: 180 minutes
Lab: 75 minutes

This module provides students with the knowledge and skills necessary to plan and implement a Group Policy strategy to centrally manage users and computers in an enterprise.

After completing this module, students will be able to:
- Create and configure Group Policy objects (GPOs).
- Configure Group Policy refresh rates and Group Policy settings.
- Manage GPOs.
- Verify and troubleshoot Group Policy.
- Delegate administrative control of Group Policy.
- Plan a Group Policy strategy for the enterprise.

Required materials

To teach this module, you need the following materials:
- Microsoft PowerPoint file 2279A_05.ppt
- Macromedia Flash file 2274_6_A_IntroGP.swf
- Macromedia Flash file 2274_6_i_GP.swf

Important: It is recommended that you use PowerPoint 2002 or later to display the slides for this course. If you use PowerPoint Viewer or an earlier version of PowerPoint, all the features of the slides may not appear correctly.

Preparation tasks

To prepare for this module:
- Read all of the materials for this module. Throughout the module, anticipate questions that students may ask and prepare answers for each question.
- Complete the lab.
- Study the practices and assessment questions and the answers that are provided. Where possible, anticipate alternate answers that students may suggest and prepare responses to those answers.
- Read Module 8, "Implementing Group Policy," in Course 2274, Managing a Microsoft Windows Server 2003 Environment.
- Read Module 9, "Managing the User Environment by Using Group Policy," in Course 2274, Managing a Microsoft Windows Server 2003 Environment.
- Read the article "Enterprise Management with the Group Policy Management Console" at http://www.microsoft.com/windowsserver2003/gpmc/default.mspx.

How to Teach This Module

This section contains information that will help you to teach this module.

Important: This module contains assessment items for each lesson, which are located on the Student Materials compact disc. You can use them as pre-assessments to help students identify areas of difficulty, or you can use them as post-assessments to validate learning. Consider using them to reinforce learning at the end of the day. You can also use them at the beginning of the day as a review for the content that you taught on the previous day.

Give students 10 minutes to prepare the answers for the assessment questions. You may choose to discuss the questions and answers together or ask the students to prepare the answers on their own.

Note: Some topics refer to additional information in the Appendices. Students do not require this supplemental information to complete the tasks that are presented in the module. Before teaching the class, review this information on the Appendices page on the Student Materials compact disc. During the class, refer the students to the Appendices page for additional information.

How To pages, practices, and labs

Explain to the students how the How To pages, practices, and labs are designed for this course. A module includes two or more lessons. Most lessons include How To pages and a practice. After students complete the lessons, the module concludes with a lab.

How To pages
The How To pages are designed for you to demonstrate how to perform a task. The students do not perform the tasks on the How To page with you. They will use these steps to perform the practice at the end of each lesson.

Practices
After you present a topic and demonstrate the How To procedures for the lesson, explain that a practice gives students an opportunity to perform the tasks that were discussed in the lesson.

Labs
At the end of each module, students use the lab to practice the tasks that were discussed throughout the module.

Each lab presents a scenario that is relevant to the students' job role and a set of instructions in a two-column format. The left column provides the task (for example: Create a group). The right column contains specific instructions to perform the task (for example: in Active Directory Users and Computers, double-click the domain node).

An answer key for each lab exercise is located on the Student Materials compact disc, in case the students need step-by-step instructions to complete the lab. They can also refer to the practices and How To pages in the module.

Lesson: Creating and Configuring GPOs

In this lesson, students review basic concepts of implementing Group Policy, including how to specify a domain controller for managing GPOs, filter Group Policy settings by using Windows Management Instrumentation (WMI) filters, and configure the User Group Policy loopback processing mode.

The lesson begins with a multimedia presentation that explains the basic concepts of Group Policy. Because these concepts are explained in detail in Course 2274, Managing a Microsoft Windows Server 2003 Environment, the animation summarizes the tasks. If some students are unfamiliar with basic concepts of Group Policy, refer them to Module 8, "Implementing Group Policy," in Course 2274.

Refer students to the Appendices for additional information about the Group Policy container (GPC).

Practice
During the practice at the end of the lesson, ask students to refer to the business scenario as they create and configure GPOs.

Lesson: Configuring Group Policy Refresh Rates and Group Policy Settings

In this lesson, students will learn how to control Group Policy processing and how Group Policy determines a slow link. Explain the order in which Microsoft Windows Server 2003 processes Group Policy settings for computers and users and then demonstrate the procedures to configure Group Policy processing.

Refer students to the Appendices for additional information about Group Policy processing, a sample logon script, and the algorithm that Group Policy uses to detect slow links.

Practice
In the practice at the end of the lesson, ask students to refer to the business scenario as they configure Group Policy processing.

Lesson: Managing GPOs

In this lesson, students learn how to manage GPOs by using the new Group Policy Management feature of Windows Server 2003. Remind students that when they install the Group Policy Management console, it replaces the Group Policy tab in Active Directory Users and Computers.

Practice
In the practice at the end of the lesson, ask students to refer to the business scenario as they manage GPOs.

Lesson: Verifying and Troubleshooting Group Policy

This lesson explains the different utilities and command-line tools you use to identify common problems when you implement Group Policy and strategies for resolving these problems.

Refer students to the Appendices page for more information about using the Gpresult.exe command-line tool to verify Group Policy settings and enabling diagnostic logging and verbose logging to monitor Group Policy.

Practice
In the practice at the end of the lesson, ask students to refer to the business scenario as they verify and troubleshoot Group Policy.

Lesson: Delegating Administrative Control of Group Policy

In this lesson, students learn how to delegate administrative control of a GPO to users who require control but do not have administrative privileges for the container that the GPO is linked to. Discuss how Group Policy Management has simplified the delegation of Group Policy.

Refer students to the Appendices page for additional information about delegating administrative control.

Practice
In the practice at the end of the lesson, ask students to refer to the business scenario as they delegate administrative control of Group Policy.

Lesson: Planning a Group Policy Strategy for the Enterprise

This lesson presents guidelines for planning a Group Policy strategy. Discuss the guidelines for determining GPO inheritance, Group Policy strategy for sites, domains, and organizational units, administration of GPOs, and deploying GPOs.

Practice
In the practice at the end of the lesson, ask students to refer to the business scenario as they plan a Group Policy strategy for the enterprise.

Lab: Implementing Group Policy

In this lab, students create and configure GPOs, link GPOs, and verify the Group Policy settings. Students will work alone. Ensure that the Group Policy Management console is installed before students begin this lab.

Lab Setup

The following list describes the setup requirements for the lab in this module.

Setup requirement 1
The lab in this module requires that the Group Policy Management console is installed. To prepare student computers to meet this requirement, ensure that students have completed the practice titled Creating and Configuring GPOs.

Lab Results

Performing the lab in this module introduces the following configuration changes:
- Creates the Accounting, Accounts Receivable, and Accounts Payable organizational units.
- Creates the Accounting, Accounts Receivable, and Accounts Payable GPOs.

Overview

You use Group Policy in the Active Directory directory service to centrally manage users and computers in an enterprise. You can centralize policies by setting Group Policy for an entire organization at the site, domain, or organizational unit level. Or, you can decentralize Group Policy settings by setting Group Policy for each department at an organizational unit level.

You can ensure that users have the user environments that they require to perform their jobs and enforce an organization's policies, including business rules, goals, and security requirements. Additionally, you can lower the total cost of ownership by controlling user and computer environments, thereby reducing the level of technical support that users require and the lost user productivity due to user error.

Objectives
After completing this module, you will be able to:
- Create and configure Group Policy objects (GPOs).
- Configure Group Policy refresh rates and Group Policy settings.
- Manage GPOs.
- Verify and troubleshoot Group Policy.
- Delegate administrative control of Group Policy.
- Plan a Group Policy strategy for the enterprise.

Lesson: Creating and Configuring GPOs

Group Policy gives you administrative control over users and computers in your network. By using Group Policy, you can define the state of a user's work environment once, and then rely on Microsoft Windows Server 2003 to continually enforce the Group Policy settings that you defined. You can apply Group Policy settings across an entire organization or to specific groups of users and computers.

Lesson objectives
After completing this lesson, you will be able to:
- Explain the purpose of Group Policy and how it is processed in Active Directory.
- Describe GPO components.
- Explain the purpose of specifying a domain controller for GPO management.
- Specify a domain controller for managing GPOs.
- Explain the purpose of Windows Management Instrumentation (WMI) filters.
- Filter Group Policy settings by using WMI filters.
- Explain the purpose of loopback processing.
- Configure the User Group Policy loopback processing mode.

Multimedia: Review of Group Policy

File location
To view the Review of Group Policy presentation, open the Web page on the Student Materials compact disc, click Multimedia, and then click the title of the presentation. Do not open this presentation unless the instructor tells you to.

Objectives
After completing this lesson, you will be able to:
- Describe the types of settings that you can define in Group Policy.
- Describe how Windows Server 2003 applies Group Policy objects.

Types of settings
You can configure Group Policy settings to define the policies that affect users and computers. The following table presents the types of settings that you can configure.

Type of setting: Description
- Administrative templates: Registry-based settings for configuring application settings and user workstation environments
- Scripts: Settings for specifying when Windows Server 2003 runs specific scripts
- Remote installation services: Settings that control the options available to users when they run the Client Installation Wizard used by Remote Installation Services (RIS)
- Internet Explorer maintenance: Settings for administering and customizing Microsoft Internet Explorer on computers running Windows Server 2003
- Folder redirection: Settings for storing specific user profile folders on a network server
- Security: Settings for configuring local computer, domain, and network security
- Software installation: Settings for centralizing the management of software installations, updates, and removals

Flow of inheritance
GPOs are linked to sites, domains, and organizational units. You can set centralized policies that affect the entire organization and decentralized policies that affect a particular department. There is no hierarchy of domains like there is for organizational units, such as parent and child organizational units.

Order in which GPOs are processed
The order in which Windows Server 2003 applies GPOs is based on the Active Directory container that the GPOs are linked to. Windows Server 2003 applies the GPOs first to the site, then to domains, and then to organizational units within the domains.

Multivalued GPO settings
Some GPO settings are multivalued. These settings are treated like single-valued settings. That is, if the setting is defined in multiple GPOs, only the settings in one of the GPOs that adheres to the inheritance rules apply.

Block Inheritance
You can prevent a child container from inheriting all GPOs from parent containers by enabling Block Inheritance on the child container. Block Inheritance is useful when an Active Directory container requires unique Group Policy settings.

Enforced option
The Enforced (named No Override if the Group Policy Management console is not installed) option is an attribute of the link, not of the GPO. If the same GPO is linked elsewhere, the Enforced option does not apply to that link unless you modify that link as well. If you have a GPO that is linked to multiple containers, you can configure the Enforced option individually for each container. When more than one link is set to Enforced, the linked GPOs apply to a common container. If they contain conflicting settings, the GPO that is highest in the Active Directory hierarchy takes precedence.

Filter GPOs
You may need to link GPOs that are associated with other directory objects. By setting the appropriate permissions for security groups, you can filter Group Policy to apply only to the computers and users you specify.

The Group Policy Management console
The Group Policy Management console is a set of programmable interfaces for managing Group Policy and a Microsoft Management Console (MMC) snap-in that is built on those programmable interfaces. Together, the components of Group Policy Management unify the management of Group Policy across the enterprise.

Note: For more information about creating and linking GPOs and Group Policy inheritance, see Module 8, "Implementing Group Policy," in Course 2274, Managing a Microsoft Windows Server 2003 Environment.
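The processing order, Block Inheritance and Enforced rules above can be worked through in code. The following PowerShell is an added example, not part of the course material: the function name, the container chain and the GPO names are constructed, and the handling of link order inside one container (first link has the highest precedence) is background that this page does not cover.

```powershell
# Added example: resolve the order in which linked GPOs are applied to one object.
# Every container name, GPO name and flag below is constructed sample data.

function Get-GpoApplicationOrder {
    param(
        # Containers ordered from the top of the hierarchy (site, then domain)
        # down to the organizational unit that holds the user or computer.
        [Parameter(Mandatory)] [object[]] $Containers
    )

    # The deepest container with Block Inheritance set cuts off every
    # non-enforced link made above it.
    $blockIndex = 0
    for ($i = 0; $i -lt $Containers.Count; $i++) {
        if ($Containers[$i].BlockInheritance) { $blockIndex = $i }
    }

    $order = [System.Collections.Generic.List[string]]::new()

    # Pass 1: non-enforced links, site -> domain -> organizational units.
    # A GPO applied later overwrites conflicting settings applied earlier.
    for ($i = $blockIndex; $i -lt $Containers.Count; $i++) {
        $links = @($Containers[$i].Links | Where-Object { -not $_.Enforced })
        # Links are stored in link order (first = highest precedence), so they
        # are applied in reverse to let the first link win.
        for ($j = $links.Count - 1; $j -ge 0; $j--) { $order.Add($links[$j].Gpo) }
    }

    # Pass 2: enforced links ignore Block Inheritance and are applied after
    # everything else, lowest container first, so that the enforced GPO that
    # is highest in the hierarchy is applied last and wins conflicts.
    for ($i = $Containers.Count - 1; $i -ge 0; $i--) {
        $links = @($Containers[$i].Links | Where-Object { $_.Enforced })
        for ($j = $links.Count - 1; $j -ge 0; $j--) { $order.Add($links[$j].Gpo) }
    }

    return $order
}

# Constructed chain: site -> domain -> Accounting OU -> Accounts Payable OU.
$chain = @(
    [pscustomobject]@{ Name = 'Site'; BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Gpo = 'Site Proxy Settings'; Enforced = $false }
    ) }
    [pscustomobject]@{ Name = 'Domain'; BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Gpo = 'Domain Security Baseline'; Enforced = $true }
        [pscustomobject]@{ Gpo = 'Domain Desktop'; Enforced = $false }
    ) }
    [pscustomobject]@{ Name = 'OU: Accounting'; BlockInheritance = $true; Links = @(
        [pscustomobject]@{ Gpo = 'Accounting'; Enforced = $false }
    ) }
    [pscustomobject]@{ Name = 'OU: Accounts Payable'; BlockInheritance = $false; Links = @(
        [pscustomobject]@{ Gpo = 'Accounts Payable'; Enforced = $false }
    ) }
)

# Lists the GPOs from first applied to last applied; the last one wins conflicts.
Get-GpoApplicationOrder -Containers $chain
```

In the sample chain, Block Inheritance on the Accounting organizational unit drops the non-enforced site and domain links, while the enforced domain link is still applied, and applied last.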

GPO Components

Windows Server 2003 applies the Group Policy settings that are contained in the GPO to the user and computer objects in the site, domain, or organizational unit that the GPO is associated with. The content of a GPO is stored in two locations: the Group Policy container (GPC) and the Group Policy template (GPT).

The Group Policy container
The GPC is an Active Directory object that contains GPO status, version information, WMI filter information, and a list of components that have settings in the GPO. Computers can access the GPC to locate Group Policy templates, and domain controllers can access the GPC to obtain version information. If the domain controller does not have the most recent version of the GPO, replication occurs to obtain the latest version of the GPO.

The Group Policy template
The GPT is a folder hierarchy in the shared SYSVOL folder on a domain controller. When you create a GPO, Windows Server 2003 creates the corresponding GPT, which contains all Group Policy settings and information, including administrative templates, security, software installation, scripts, and folder redirection settings. Computers connect to the SYSVOL folder to obtain the settings.

The name of the GPT folder is the globally unique identifier (GUID) of the GPO that you created. It is identical to the GUID that Active Directory uses to identify the GPO in the GPC. The path to the GPT on a domain controller is systemroot\sysvol\sysvol.

Note: For more information about GPC, see "GPO Components" in Module 5 on the Appendices page on the Student Materials compact disc.
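Because a GPO lives in two places, its two halves can disagree. The following PowerShell is an added example, not part of the course material, that compares the version stored in the GPC with the one stored in the GPT. It relies on background that this page does not state: the GPC holds the number in its versionNumber attribute, the GPT holds it in the Version= line of its gpt.ini file, and the number packs the user-settings revision in the upper 16 bits and the computer-settings revision in the lower 16 bits. The function names and sample values are constructed.

```powershell
# Added example: compare GPC and GPT version numbers for one GPO.
# The versionNumber value and the gpt.ini text below are constructed samples.

function ConvertFrom-GpoVersion {
    param([Parameter(Mandatory)] [long] $Version)
    # Upper 16 bits: user-settings revision. Lower 16 bits: computer-settings revision.
    [pscustomobject]@{
        User     = ($Version -shr 16) -band 0xFFFF
        Computer = $Version -band 0xFFFF
    }
}

function Get-GptIniVersion {
    param([Parameter(Mandatory)] [string] $GptIniText)
    # gpt.ini is a small INI file; only its Version= line matters here.
    if ($GptIniText -match '(?im)^\s*Version\s*=\s*(\d+)\s*$') {
        return [long]$Matches[1]
    }
    throw 'No Version= line found in the gpt.ini text.'
}

function Compare-GpoVersion {
    param(
        [Parameter(Mandatory)] [long]   $GpcVersionNumber,  # from Active Directory
        [Parameter(Mandatory)] [string] $GptIniText         # from the SYSVOL folder
    )
    $gpc = ConvertFrom-GpoVersion -Version $GpcVersionNumber
    $gpt = ConvertFrom-GpoVersion -Version (Get-GptIniVersion -GptIniText $GptIniText)

    [pscustomobject]@{
        GpcUser     = $gpc.User
        GptUser     = $gpt.User
        GpcComputer = $gpc.Computer
        GptComputer = $gpt.Computer
        # A mismatch means one of the two replication paths is behind, or
        # that one half of the GPO was changed outside the normal tools.
        InSync      = ($gpc.User -eq $gpt.User) -and ($gpc.Computer -eq $gpt.Computer)
    }
}

# Constructed sample: the directory copy is one computer-side revision ahead of SYSVOL.
$sampleGptIni = @'
[General]
Version=131075
'@

Compare-GpoVersion -GpcVersionNumber 131076 -GptIniText $sampleGptIni
```

A mismatch that persists after replication has had time to settle is worth investigating on the domain controller that reports it.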

Why Specify a Domain Controller for Managing GPOs?

Group Policy Management uses the primary domain controller (PDC) emulator in each domain as the default domain controller.

Why select a specific domain controller?
To avoid replication conflicts, consider the selection of domain controller, especially because the GPO data resides in both Active Directory and the SYSVOL folder. Active Directory uses two independent replication mechanisms to replicate GPO data to the various domain controllers in the domain. If two administrators simultaneously edit the same GPO on different domain controllers, one administrator's changes can overwrite those made by the other administrator, depending on replication latency.

The PDC emulator
By default, the Group Policy Management console uses the PDC emulator in each domain to ensure that all administrators use the same domain controller. However, you may not always want to use the PDC emulator. For example, if you reside in a remote location, or if the majority of the users or computers targeted by the GPO are in a remote location, you may want to target a domain controller there.

Important: If multiple administrators manage a common GPO, it is recommended that all administrators use the same domain controller when editing a particular GPO to avoid collisions in File Replication Services (FRS).

Options for selecting a domain controller
You can specify a domain controller to manage GPOs by selecting any of the following options:
- The domain controller with the Operations Master token for the PDC emulator. This is the default and the preferred option.
- Any available domain controller. When you use this option, you are likely selecting a domain controller in the local site.
- Any available domain controller running Windows 2003 or later. This option is unavailable in environments that contain both Windows Server 2003 and Windows 2000 servers.
- This domain controller. When you use this option, you are selecting the current domain controller.

How to Specify a Domain Controller for Managing GPOs

You use the Group Policy Management console to specify a domain controller for domains or sites.

Procedure
To specify a domain controller, perform the following steps:
1. Open Group Policy Management, expand the forest, expand Domains, and then use one of the following methods:
   - To specify a domain controller to use for domain operations, right-click the required domain, and then click Change Domain Controller.
   - To specify a domain controller to use for operations on sites, right-click Sites, and then click Change Domain Controller.
2. In the Change Domain Controller dialog box, under Change to, click This domain controller, and then click OK.

What Are WMI Filters?

You use Windows Management Instrumentation (WMI) filters to dynamically determine the scope of GPOs based on attributes of the user or computer. In this way, you can extend the filtering capabilities for GPOs beyond the security group filtering mechanisms that were previously available.

How does a WMI filter work?
A WMI filter is linked to a GPO. When you apply a GPO to the destination computer, Active Directory evaluates the filter on the destination computer. A WMI filter consists of one or more queries that Active Directory evaluates against the WMI repository of the destination computer. If the total set of queries is false, Active Directory does not apply the GPO. If all queries are true, Active Directory applies the GPO. You write the query by using the WMI Query Language (WQL), which is a language similar to SQL for querying the WMI repository.

Each GPO can have only one WMI filter. However, you can link the same WMI filter to multiple GPOs. Like GPOs, WMI filters apply to only one domain object at a time.

Uses of WMI filters
You can use WMI filters to target policies based on various objects in the network. The following list includes some sample uses of WMI filters.
- Services. Computers where DHCP is installed and running.
- Hardware inventory. Computers that have a Pentium III processor and at least 128 megabytes (MB) of RAM.
- Software configuration. Computers with multicasting turned on.

For client computers running Windows 2000, Active Directory ignores WMI filters and always applies the GPO.

Note: For more information about WMI filters, see "What Are WMI Filters?" in Module 5 on the Appendices page on the Student Materials compact disc.

How to Filter Group Policy Settings Using WMI Filters

You can create new WMI filters from the WMI Filters container in the Group Policy Management console. You can also import a filter that was previously exported.

Procedure
To create a WMI filter and link it to a GPO, perform the following steps:
1. Open Group Policy Management, expand the forest that contains the GPO that you want to add a WMI filter to, expand Domains, expand the domain that contains the GPO, expand WMI Filters, right-click WMI Filters, and then click New.
2. In the New WMI Filter dialog box, in the Name box, type a name of the query.
3. In the Description box, type a description of the query.
4. Click Add.
5. In the WMI Query dialog box, in the Namespace box, type the namespace path of the query, or click Browse to see a list of available namespaces. For each query, you must specify the WMI namespace where the query is to be executed. The default namespace is root\cimv2, which should be appropriate for most scenarios.
6. In the Query box, type a valid WQL query statement, and then click OK.
7. In the New WMI Filter dialog box, click Save.
8. Expand Group Policy Objects, and then drag the WMI filter to a GPO.

Example WQL query
For example, to target computers that have more than 10 MB of available space on the C, D, or E drive, the partitions must be located on one or more hard disks and they must be running the NTFS file system. Type the following WMI query:

    SELECT * FROM Win32_LogicalDisk WHERE (Name = "C:" OR Name = "D:" OR Name = "E:") AND DriveType = 3 AND FreeSpace > 10485760 AND FileSystem = "NTFS"

In the example, a DriveType value of 3 is a hard disk. The FreeSpace units are in bytes (10 MB = 10,485,760 bytes).

Note: For more examples of WMI filters, see "How to Filter Group Policy Settings by Using WMI Filters" in Module 5 on the Appendices page on the Student Materials compact disc.
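Before you link a filter to a GPO, you can run its queries on a representative computer and see how they evaluate. The following PowerShell is an added example, not part of the course material: the function name Test-WmiFilter and its output properties are constructed, and it treats a query as true when it returns at least one instance. Get-CimInstance is the standard cmdlet for running a WQL query.

```powershell
# Added example: evaluate the queries of a WMI filter on a computer the way
# the filter rule above describes (every query must be true for the GPO to apply).
# Test-WmiFilter and its output property names are constructed for this sketch.

function Test-WmiFilter {
    [CmdletBinding()]
    param(
        # One or more WQL statements, exactly as they would be typed in the Query box.
        [Parameter(Mandatory)] [string[]] $Query,
        # Namespace the queries run in; root\cimv2 is the default named above.
        [string] $Namespace = 'root\cimv2',
        # Optional remote computer; omit to test the local computer.
        [string] $ComputerName
    )

    $cimArgs = @{ Namespace = $Namespace; ErrorAction = 'Stop' }
    if ($ComputerName) { $cimArgs.ComputerName = $ComputerName }

    $details = foreach ($q in $Query) {
        # A syntax error or unknown class stops here with the WMI error,
        # which is what you want to see while authoring a filter.
        $instances = @(Get-CimInstance @cimArgs -Query $q)
        [pscustomobject]@{
            Query     = $q
            Instances = $instances.Count
            IsTrue    = ($instances.Count -gt 0)
        }
    }

    [pscustomobject]@{
        # The GPO is in scope only when no query came back empty.
        GpoWouldApply = (@($details | Where-Object { -not $_.IsTrue }).Count -eq 0)
        Queries       = $details
    }
}

# The disk-space filter from the example above.
$diskFilter = 'SELECT * FROM Win32_LogicalDisk WHERE (Name = "C:" OR Name = "D:" OR Name = "E:") ' +
              'AND DriveType = 3 AND FreeSpace > 10485760 AND FileSystem = "NTFS"'

$result = Test-WmiFilter -Query $diskFilter
$result.GpoWouldApply
$result.Queries | Format-List
```

Running the same check against a computer that should fall outside the filter confirms that the filter excludes it.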

What Is Loopback Processing?

By default, a user's GPOs determine which user settings apply when a user logs on to a computer. In contrast, loopback processing applies the set of GPOs for the computer to any user who logs on to the computer who is affected by this setting. Loopback processing is intended for special-use computers, such as computers in public places, laboratories, and classrooms, where you must modify the user setting based on the computer that is being used.

Example

For example, the user whose user object is located in the Sales organizational unit logs on to a computer. The computer object is located in the Servers organizational unit. The Group Policy settings that are applied to the user are based on any GPOs that are linked to the Sales organizational unit or to any parent containers. The settings that are applied to the computer are based on any GPOs that are linked to the Servers organizational unit or to any parent containers.

This default behavior, however, may not be appropriate for certain servers or computers that are dedicated to a certain task. For example, applications that are assigned to a user should not be automatically available on a server.

Loopback processing modes

Loopback processing has two modes:

- Replace mode. This mode replaces the user settings that are defined in the computer's GPOs with the user settings that are normally applied to the user.
- Merge mode. This mode combines the user settings that are defined in the computer's GPOs and the user settings that are normally applied to the user. If the settings conflict, the user settings in the computer's GPOs take precedence over the user's normal settings.

How to Configure the User Group Policy Loopback Processing Mode

To enable loopback processing, you select the User Group Policy Loopback Processing mode option in Group Policy Management.

Procedure

To configure the User Group Policy Loopback Processing mode, perform the following steps:

1. Open Group Policy Management, expand the forest, expand Domains, expand your domain, and then click Group Policy Objects.
2. In the details pane, right-click the Group Policy object, and then click Edit.
3. In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand System, and then click Group Policy.
4. Double-click User Group Policy loopback processing mode, and then, if it is not already selected, click Enabled.
5. Under Mode, click Replace or Merge, and then click OK.

Practice: Creating and Configuring GPOs

Objectives

In this practice, you will install the Group Policy Management console and create and configure GPOs for your domain.

Scenario

As the systems engineer for Northwind Traders, you are responsible for implementing Group Policy for the organization. You will install Group Policy Management and create GPOs to help enforce the desktop environment. You will remove the Run menu option for all users and then remove the shut down command from the menu. You also want to apply this policy only to computers in which the C drive contains at least 10 MB of free disk space and that are configured with the NTFS file system.

Practice: Installing the Group Policy Management console

Install the Group Policy Management console

1. Log on to your domain as ComputerNameUser (where ComputerName is the name of the computer you are working on) with a password of P@ssw0rd.
2. Click Start, right-click Command Prompt, and then click Run as.
3. In the Run As dialog box, click The following user, type a user name of Nwtradersx\Administrator with a password of P@ssw0rd, and then click OK.
4. At the command prompt, type \\LONDON\SETUP\GPMC.MSI and then press ENTER.
5. In the File Download dialog box, click Open.
6. On the Welcome to the Microsoft Group Policy Management Console Setup Wizard page, click Next.
7. On the License Agreement page, click I Agree, and then click Next.
8. On the Completing the Microsoft Group Policy Management Console Setup Wizard page, click Finish.
9. Close the command prompt.

Practice: Creating and Configuring GPOs

Create and configure GPOs

1. Click Start, point to Administrative Tools, right-click Group Policy Management, and then click Run as.
2. In the Run As dialog box, click The following user, type a user name of YourDomain\Administrator with a password of P@ssw0rd, and then click OK.
3. Expand Forest, expand Domains, expand your domain, expand Group Policy Objects, right-click Group Policy Objects, and then click New.
4. Type PracticeGPO as the name for your GPO, and then click OK.
5. Right-click your domain name, click Link an Existing GPO, click PracticeGPO, and then click OK.
6. Right-click PracticeGPO, and then click Edit.
7. In Group Policy Object Editor, under User Configuration, expand Administrative Templates, and then click Start Menu and Taskbar.
8. In the details pane, double-click Remove Run menu from Start Menu, click Enabled, and then click OK.
9. In the details pane, double-click Remove and prevent access to the Shut Down command, click Enabled, and then click OK.
10. Close Group Policy Object Editor.
11. In Group Policy Management, expand and right-click WMI Filters, and then click New.
12. Type PracticeFilter as the name for the WMI filter, click Add, type an appropriate query to retrieve the required information, click OK, and then click Save.
13. In the console tree, in the list under Group Policy Objects, click PracticeGPO.
14. In the details pane, select PracticeFilter in the This GPO is linked to the following WMI filter box.
15. In the Group Policy Management dialog box, click Yes.
16. Close Group Policy Management.

Lesson: Configuring Group Policy Refresh Rates and Group Policy Settings

Windows Server 2003 executes computer and user settings and policies in a specific order. By understanding Group Policy processing and its order, you can create appropriate scripts and configure refresh rates.

Lesson objectives

After completing this lesson, you will be able to:

- Explain the process of applying Group Policy.
- Assign Group Policy Script settings.
- Configure refresh rates for Group Policy components.
- Configure refresh rates for domain controllers and computers.
- Refresh the Group Policy settings on a user's computer by using Gpupdate.exe.

When Is Group Policy Applied?

When a user starts a computer and logs on, Windows Server 2003 processes computer settings first and then user settings.

Order in which Group Policy is applied

When a user starts a computer and logs on, the following things occur:

1. The network starts. Remote Procedure Call System Service (RPCSS) and Multiple Universal Naming Convention Provider (MUP) start.
2. Windows Server 2003 obtains an ordered list of GPOs for the computer. The list depends on the following factors:
   - Whether the computer is part of a domain and therefore subject to Group Policy through Active Directory.
   - The location of the computer in Active Directory.
   - Whether the list of GPOs has changed.
3. Windows Server 2003 applies the computer policy. These are the settings under Computer Configuration from the gathered list of GPOs. This list is synchronous by default and in the following order: local, site, domain, organizational unit, and child organizational unit. No user interface appears while computer policies are processed.
4. The startup scripts run. The scripts are hidden and synchronous by default. Each script must be completed or time out before the next one starts. The default time-out is 600 seconds. You can use Group Policy settings to modify the default time-out.

Note: You can adjust the time-out value by configuring the wait time in Maximum wait time for Group Policy scripts under Computer Configuration\Administrative Templates\System\Logon\. This setting affects all scripts that run.

5. The user presses CTRL-ALT-DEL to log on.
6. After Windows Server 2003 validates the user, it loads the user profile, which is controlled by the Group Policy settings that are in effect.
7. Windows Server 2003 obtains an ordered list of GPOs for the user. The list depends on the following factors:
   - Whether the user is part of a domain and therefore subject to Group Policy through Active Directory.
   - Whether loopback processing is enabled, and the state of the loopback policy setting.
   - The location of the user in Active Directory.
   - Whether the list of GPOs has changed.
8. Windows Server 2003 applies the user policy, which includes the settings under User Configuration from the gathered list. The settings are synchronous by default and in the following order: local, site, domain, organizational unit, and child organizational unit. No user interface appears while user policies are processed.
9. Logon scripts run. Logon scripts that are based on Group Policy are hidden and asynchronous by default.
10. The operating system user interface that Group Policy prescribes appears.

User or computer refresh interval

Computers running Windows Server 2003 refresh or reapply Group Policy settings at established intervals. Refreshing settings ensures that Group Policy settings are applied to computers and users even if users never restart their computers or log off.

Note: For more information about when Group Policy is applied and a sample logon script, see When Is Group Policy Applied? in Module 5 on the Appendices page on the Student Materials compact disc.

How to Assign Group Policy Script Settings

When you implement a script, you use Group Policy to add the script to the appropriate setting in the GPT so that it runs during startup, shutdown, logon, or logoff.

Procedure for copying a script

To copy a script to the appropriate GPT, perform the following steps:

1. Locate the script on your hard disk by using Windows Explorer.
2. Edit the appropriate GPO in Group Policy Management, expand either Computer Configuration (for startup and shutdown scripts) or User Configuration (for logon and logoff scripts), expand Windows Settings, and then click Scripts.
3. Double-click the appropriate script type (Startup, Shutdown, Logon, or Logoff), and then click Show Files.
4. Copy the script file from Windows Explorer to the window that appears, and then close the window.

Important: You cannot perform this task using Run as; you must be logged on as Administrator in order to perform this task.

Procedure for adding the script

To add a script to a GPO, perform the following steps:

1. In the Properties dialog box for the script type, click Add.
2. Click Browse, select a script, and then click Open.
3. Add any necessary script parameters, and then click OK.

Note: For more information about creating a script in the Microsoft Visual Basic, Scripting Edition (VBScript) language, see Course 2433, Microsoft Visual Basic Scripting Edition and Microsoft Windows Script Host Essentials, and Course 2439, WMI Scripting.

How to Configure Refresh Rates for Group Policy Components

Group Policy and slow links

If Group Policy detects a slow link, it sets a flag to indicate the slow link to the client-side extensions. The client-side extensions can then determine whether to process applicable Group Policy settings. Group Policy compares the connection speed of the link with 500 kilobytes per second (KBps), the speed that it considers slow, or with a threshold of your choice. Group Policy uses an algorithm to determine whether a link is considered slow.

Default settings

The following table shows the default settings for slow link processing.

Client-side extension                          Slow-link processing   Refreshed   Can it be changed?
---------------------------------------------  ---------------------  ----------  ------------------
Registry policy processing                     On                     On          No
Internet Explorer Maintenance policy processing  Off                  On          Yes
Software Installation policy processing        Off                    N/A         Yes
Folder Redirection policy processing           Off                    N/A         Yes
Scripts policy processing                      Off                    On          Yes
Security policy processing                     On                     On          No
IP Security policy processing                  Off                    On          Yes
Wireless policy processing                     Off                    On          Yes
EFS recovery policy processing                 On                     On          Yes
Disk Quota policy processing                   Off                    On          Yes

Procedure

To configure which Group Policy components are refreshed and can be modified, perform the following steps:

1. Open the appropriate GPO in Group Policy, expand Computer Configuration, expand Administrative Templates, expand System, click Group Policy, and then double-click each item in the preceding table.
2. Click Enabled.
3. Click Do not apply during periodic background processing.
4. If available, click Allow processing across a slow network connection, and then click OK.

Note: For more information about the algorithm that Group Policy uses to detect slow links, see How to Configure Which Group Policy Components Are Refreshed in Module 5 on the Appendices page on the Student Materials compact disc.

How to Configure Refresh Rates for Domain Controllers and Computers

You can change the default refresh rates by modifying the administrative template settings for a user or computer configuration.

Default refresh intervals

The following table lists the default intervals for refreshing Group Policy.

Type of computer: Computers running Windows XP Professional and domain member servers running Windows Server 2003
Refresh interval: Every 90 minutes. It also refreshes on a random time offset every 30 minutes, which helps load balance application processing of Group Policy and ensures that multiple computers do not contact a domain controller at the same time.

Type of computer: Domain controllers
Refresh interval: Every five minutes. This way, critical new Group Policy settings, such as security settings, are applied at least every five minutes unless you change the default setting.

Procedure

To configure refresh rates, perform the following steps:

1. Open the appropriate GPO in Group Policy, expand User Configuration or Computer Configuration (depending on which GPO you want to edit), expand Administrative Templates, expand System, click Group Policy, and then double-click one of the following settings:
   - Group Policy refresh interval for users
   - Group Policy refresh interval for computers
   - Group Policy refresh interval for domain controllers
2. Select Enabled.
3. Set the refresh interval in minutes.
4. Set the random time offset, and then click OK.

Note: If you disable these settings, Group Policy is updated by default every 90 minutes. To specify that Group Policy should never be updated when the computer is in use, select the Turn off background refresh of Group Policy option.
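
Because the refresh interval bounds how long a new security setting can take to reach a computer, it is worth confirming what a computer actually received. The PowerShell below is an added example, not part of the course material. The function name Get-GpRefreshWindow and the review threshold are hypothetical, and the registry value names are the ones written by the administrative template settings, stated here from general knowledge and not taken from this page.

```powershell
# Added example (not from the course material): report the background
# refresh window that policy has configured for this computer.
# Get-GpRefreshWindow and -MaxAcceptableMinutes are hypothetical names.

function Get-GpRefreshWindow {
    [CmdletBinding()]
    param(
        # Constructed review threshold: flag a window longer than this.
        [int] $MaxAcceptableMinutes = 240
    )

    # Registry locations used by the Group Policy administrative template
    # (not named on this page; verify them in your environment).
    $policyKey  = 'HKLM:\Software\Policies\Microsoft\Windows\System'
    $disableKey = 'HKLM:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

    $policy  = Get-ItemProperty -Path $policyKey  -ErrorAction SilentlyContinue
    $disable = Get-ItemProperty -Path $disableKey -ErrorAction SilentlyContinue

    # Defaults from the table above: 90 minutes plus a 30-minute offset.
    $interval = 90
    $offset   = 30
    $source   = 'default'

    if ($policy -and $null -ne $policy.GroupPolicyRefreshTime) {
        $interval = [int] $policy.GroupPolicyRefreshTime
        $source   = 'policy'
    }
    if ($policy -and $null -ne $policy.GroupPolicyRefreshTimeOffset) {
        $offset = [int] $policy.GroupPolicyRefreshTimeOffset
        $source = 'policy'
    }

    # "Turn off background refresh of Group Policy" stops refresh while
    # the computer is in use, so the window below no longer applies.
    $backgroundOff = [bool] ($disable -and $disable.DisableBkGndGroupPolicy -eq 1)

    # Each refresh happens between interval and interval + offset minutes
    # after the previous one.
    $latest = $interval + $offset

    [pscustomobject]@{
        Source               = $source
        IntervalMinutes      = $interval
        OffsetMinutes        = $offset
        EarliestMinutes      = $interval
        LatestMinutes        = $latest
        BackgroundRefreshOff = $backgroundOff
        NeedsReview          = ($backgroundOff -or ($latest -gt $MaxAcceptableMinutes))
    }
}

Get-GpRefreshWindow | Format-List
```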

How to Refresh the Group Policy Settings on a User's Computer Using Gpupdate.exe

You can refresh a Group Policy object by using the gpupdate command.

Procedure

To refresh the Group Policy settings on a user's computer by using the gpupdate command, perform the following steps:

1. In the Run dialog box, type cmd and then press ENTER.
2. Type gpupdate [/target:{computer | user}] [/force] [/wait:value] [/logoff] [/boot]

The following table describes each parameter of the gpupdate syntax.

Parameter: /target:{computer | user}
Description: Processes either the computer settings or the current user settings, depending on what destination you specify. If you do not specify this parameter, the computer and the user settings are processed by default.

Parameter: /force
Description: Reapplies all settings and ignores processing optimizations.

Parameter: /wait:value
Description: Specifies the number of seconds that policy processing waits to finish, which by default is 600 seconds. A value of 0 means no wait; -1 means wait indefinitely.

Parameter: /logoff
Description: Logs off after the policy refresh is completed. This parameter is required for Group Policy client-side extensions that do not process Group Policy settings on a background refresh cycle but do process them when the user logs on. This option has no effect if there are no extensions called that require the user to log off.

Parameter: /boot
Description: Restarts the computer after the policy refresh is completed. Restarting the computer is required for those Group Policy client-side extensions that do not process Group Policy settings on a background refresh cycle but do process them when the computer starts up. This option has no effect if there are no extensions called that require the computer to be restarted.

Practice: Configuring Group Policy Refresh Rates and Group Policy Settings

Objectives

In this practice, you will configure the Group Policy refresh interval for client computers and then configure Group Policy settings for synchronizing offline files.

Scenario

Northwind Traders relies heavily on Group Policy to manage client computers and to keep the organization agile. Because of the large number of GPOs you must modify daily, you want to reduce network traffic by decreasing the refresh interval for client computers to 180 minutes and by using a random time offset of 60 minutes.

People in your organization often travel and use slow dial-up connections. They also frequently visit remote sales offices that have high-speed connections to the corporate network. They need access to files that normally are accessible only by using a network connection to a file server. These files must be up to date as soon as the user logs on to the corporate network. You must configure the availability and synchronization of offline files in Group Policy for the users who require this capability.

Practice

Configure Group Policy settings

1. Open Group Policy Management as YourDomain\Administrator by using Run as.
2. Expand Forest, expand Domains, expand your domain, expand Group Policy Objects, click Group Policy Objects, right-click PracticeGPO, and then click Edit.
3. In Group Policy Object Editor, under Computer Configuration, expand Administrative Templates, expand System, and then click Group Policy.
4. Double-click Group Policy Refresh Interval for computers, click Enabled, type the appropriate time intervals, and then click OK.

5. In Group Policy Object Editor, under User Configuration, expand Administrative Templates, expand Network, and then click Offline Files.
6. Double-click Synchronize all offline files when logging on, click Enabled, and then click OK.
7. Close Group Policy Object Editor, and then close Group Policy Management.

Lesson: Managing GPOs

You use the Group Policy Management console to manage GPOs, which includes copying a GPO to another location, backing up a GPO, restoring a GPO from the backup, and importing settings from one GPO to another.

Lesson objectives

After completing this lesson, you will be able to:

- Explain the purpose of copying a GPO.
- Copy a GPO by using Group Policy Management.
- Explain the purpose of backing up a GPO.
- Back up a GPO by using Group Policy Management.
- Explain the purpose of restoring a GPO.
- Restore a GPO by using Group Policy Management.
- Explain the purpose of importing settings into a GPO.
- Import settings into a GPO by using Group Policy Management.

What Is a Copy Operation?

A copy of a GPO transfers only the settings in the GPO. The newly created GPO has a new GUID and the default discretionary access control list (DACL) for the GPO. The new GPO is created unlinked because links are a property of the object that defined the GPO, rather than a property of the GPO.

Mapping behavior for a copy operation

When you copy a GPO from one domain to another, you must specify the mapping behavior of the security principals for the copy operation. Group Policy Management provides two basic mapping techniques for copying GPOs:

- Copy them identically from the source
- Use a migration table to map them to new values in the new GPO

To use either approach, references to security principals and Universal Naming Convention (UNC) paths must exist in the source GPO.

What is security principal mapping?

When you copy GPOs across domains or forests, Group Policy Management can perform security principal mapping. That is, it can modify settings that refer to security principals by translating the destination security principals to new values in the new GPO.

What is a migration table?

If you require additional customization, you can use scripting to implement a migration table, which is an Extensible Markup Language (XML) text file that specifies custom mapping of security principals from the source domain to the destination domain. The migration table contains a security principal mapping section and a path mapping section. You use these sections to set specific mapping rules.

How to Copy a GPO

To copy a GPO, you must have permission to create GPOs in the destination domain.

Procedure

To copy a GPO, perform the following steps:

1. Open Group Policy Management, expand Group Policy Objects in the forest and domain that contains the GPO that you want to copy, right-click the GPO, and then click Copy.
2. Do one of the following:
   - To place the copy of the GPO in the same domain as the source GPO, right-click Group Policy Objects, and then click Paste.
     i. On the Copy GPO page, select either Use the default permissions for New GPOs or Preserve the existing permissions, and then click OK.
     ii. When copy progress has completed, click OK.
   - To place the copy of the GPO in a different domain, whether in the same forest or a different forest, expand the destination domain, right-click Group Policy Objects, and then click Paste.
     i. On the Welcome to the Cross-Domain Copying Wizard page, click Next.
     ii. On the Specifying permissions page, select either Use the default permissions for new GPOs or Preserve or migrate the permissions from the original GPOs, and then click Next.
     iii. On the Scanning Original GPO page, click Next. If the source GPO contains references to security principals and UNC paths, you will see the window mentioned in the next step. Otherwise, continue to step v.

     iv. On the Migrating References page, select either Copying them identically from the source or Using this migration table to map them to new values in the new GPOs, select the migration table from the list, and then click Next.
     v. On the Completing the Cross-Domain Copying Wizard page, click Finish.
     vi. After the copy operation is completed, click OK.

Note: Some of these steps may not appear if you are copying a GPO to the same domain.

What Is a Backup Operation?

When Group Policy Management backs up a GPO, it exports the data to a file that you choose and saves all Group Policy template (GPT) files. You can send the backed-up GPO to a folder by using a restore or import operation. You can only restore a backed-up GPO to another domain by using an import operation.

How to store a backup?

You can store multiple backed-up GPOs, including versions of the same GPO, in one file folder. Regardless of how many GPOs you store in a folder, you can identify each backed-up GPO by one of the following criteria:

- GPO display name
- GPO GUID
- Description of the backup
- Date and time stamp of the backup
- Domain name

You can back up one or more GPOs to a previously specified backup location, or you can specify a new backup location.

Note: Be sure that the backup directory is in a secure location in the file system.

How to Back Up a GPO

To back up a GPO, you must have Read permission to the GPO and Write permission to the file system location where you want to store the backed-up GPO.

Procedure

To back up a GPO, perform the following steps:

1. Open Group Policy Management, expand the forest that contains the GPO that you want to back up, expand Domains, expand the domain that contains the GPO, expand Group Policy Objects, and then do one of the following:
   - To back up a single GPO, right-click the GPO, and then click Back Up.
   - To back up all GPOs, right-click Group Policy Objects, and then click Back Up All.
2. In the Backup Group Policy Object dialog box, type the path to the location where you want to store the backed-up GPO.
3. Type a description for the GPO that you want to back up, and then click Backup.
4. After the backup operation is completed, click OK.
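
The same backup can be scripted so that it refuses to write into a folder that broad groups can access, which is the concern behind the note about a secure backup location. The PowerShell below is an added example, not part of the course material. It assumes the GroupPolicy module that ships with later versions of the Group Policy Management tools, the function name Backup-AllGposChecked and the sample path are hypothetical, and the group names it checks are the English ones.

```powershell
# Added example (not from the course material): back up every GPO in the
# domain, but only into a folder that broad groups cannot access.
# Backup-AllGposChecked is a hypothetical helper name.

Import-Module GroupPolicy

function Backup-AllGposChecked {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)]
        [string] $BackupRoot,

        # Stored with each backup as its description.
        [string] $Comment = 'Scripted backup of all GPOs'
    )

    # One folder per run keeps versions of the same GPO apart.
    $target = Join-Path $BackupRoot (Get-Date -Format 'yyyyMMdd-HHmmss')
    New-Item -ItemType Directory -Path $target -Force | Out-Null

    # Backed-up GPOs include scripts and security settings, so stop if
    # the folder grants access to broad groups (English names assumed).
    $broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
    $loose = @((Get-Acl -Path $target).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $broad -contains $_.IdentityReference.Value
    })
    if ($loose.Count -gt 0) {
        $who = ($loose | ForEach-Object { $_.IdentityReference.Value } |
                Sort-Object -Unique) -join ', '
        throw "Refusing to back up to '$target': accessible to $who."
    }

    # Needs Read permission on each GPO and Write permission on $target,
    # as stated in the procedure above.
    Backup-GPO -All -Path $target -Comment $Comment |
        Select-Object DisplayName, GpoId, Id, CreationTime, DomainName, Comment
}

# Constructed sample path; replace it with your own restricted location.
Backup-AllGposChecked -BackupRoot 'D:\GpoBackups' | Format-Table -AutoSize
```

The properties selected at the end correspond to the criteria listed earlier for identifying a backed-up GPO: display name, GUID, description, time stamp, and domain name.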

What Is a Restore Operation?

The restore operation returns the contents of the GPO to the same state it was in when the backup was performed. This operation is only valid in the domain where the GPO was created.

Which GPOs can be restored?

You can restore an existing GPO or a deleted GPO that was backed up. The permissions that are required to restore a GPO depend on whether the GPO exists in Active Directory when you restore it.